Good morning everyone,
in the Securing Debian Manual it is described how to remove
CAP_LINUX_IMMUTABLE from the system, so that the file attributes 'i' and
'a' can't be changed afterwards (until the next reboot) [1]. That doesn't
seem to work in recent versions of Debian anymore, because -- if I
un
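The recipe the poster refers to removed a capability from the kernel's global bounding set (the old /proc/sys/kernel/cap-bound that lcap wrote to). The following is an added example, not code from the mail or from the Securing Debian Manual: it reads the bounding set of the running process from /proc/self/status, checks whether CAP_LINUX_IMMUTABLE (capability number 9) is still in it, and, when run with CAP_SETPCAP, drops it with prctl(PR_CAPBSET_DROP). On 2.6.25 and later kernels the bounding set is per process and inherited by children, so the lcap-style "until reboot" effect is only obtained by dropping the bit in an ancestor of everything else (an early boot script or init), not in a shell started later.

```c
/* Added example: inspect and drop CAP_LINUX_IMMUTABLE from the per-process
 * capability bounding set. Not from the original mail or the Debian manual. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

/* Capability number as defined in <linux/capability.h>; stable kernel ABI. */
#ifndef CAP_LINUX_IMMUTABLE
#define CAP_LINUX_IMMUTABLE 9
#endif
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif
#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif

/* Parse the "CapBnd:" line of a /proc/<pid>/status buffer into a 64-bit mask.
 * Returns 0 on success, -1 if the line is missing or malformed. */
int parse_capbnd(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapBnd:");
    if (!p)
        return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* Combined check: 1 = present, 0 = absent, -1 = status buffer unparseable. */
int status_has_cap(const char *status, int cap)
{
    uint64_t mask;
    if (parse_capbnd(status, &mask) != 0)
        return -1;
    return cap_in_mask(mask, cap);
}

/* Read this process's own status file into buf (NUL-terminated). */
static int read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

int main(void)
{
    char status[4096];
    if (read_self_status(status, sizeof status) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("CAP_LINUX_IMMUTABLE in bounding set (via /proc): %d\n",
           status_has_cap(status, CAP_LINUX_IMMUTABLE));
    /* Same answer without /proc; allowed for unprivileged callers too. */
    printf("via prctl(PR_CAPBSET_READ): %d\n",
           prctl(PR_CAPBSET_READ, CAP_LINUX_IMMUTABLE, 0, 0, 0));

    /* Needs CAP_SETPCAP, otherwise EPERM (EINVAL on kernels before 2.6.25).
     * Once dropped, chattr +i / chattr -i fail with EPERM in this process and
     * everything it spawns, even as uid 0, and the bit cannot be re-added. */
    if (prctl(PR_CAPBSET_DROP, CAP_LINUX_IMMUTABLE, 0, 0, 0) != 0)
        perror("PR_CAPBSET_DROP");
    else
        printf("after drop, PR_CAPBSET_READ = %d\n",
               prctl(PR_CAPBSET_READ, CAP_LINUX_IMMUTABLE, 0, 0, 0));
    return 0;
}
```

Run it twice in the same shell and the second run still reports the bit present: the drop only affected the first process and its (nonexistent) children, which is exactly why a recipe written for the global cap-bound stops working on newer kernels.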
On Sunday 16 January 2005 13:26, Alvin Oga <[EMAIL PROTECTED]>
wrote:
> suse ( sorry), seems to ship with SELinux enabled... and sometimes causes
> problems that i have to go in and turn it all off ( good again ? )
> - i haven't figured which SELinux options work and which don't
Best to join #se
On Sunday 16 January 2005 13:04, hanasaki <[EMAIL PROTECTED]> wrote:
> so what do you recommend for security?
>
> also what about rsbac? where does this fit in?
RSBAC is not based on the LSM interface so it won't go into the standard
kernel.org kernel tree. It's a patch that has to be applied t
hat seems the default behavior by now, but loading the capabilities LSM
> > without the disabling parameter will mean that SELinux or other Linux
> > security modules won't be able to register with the LSM framework.
suse ( sorry), seems to ship with SELinux enabled... and so
ge install with a kernel 2.6 does not load any
linux security kernel modules per default, neither
capabilities nor lsm, which is insecure.
That seems the default behavior by now, but loading the capabilities LSM
without the disabling parameter will mean that SELinux or other Linux
security modules w
t, neither
> capabilities nor lsm, which is insecure.
That seems the default behavior by now, but loading the capabilities LSM
without the disabling parameter will mean that SELinux or other Linux
security modules won't be able to register with the LSM framework.
Also, it's not insecur
Hi,
I'm not sure if this list is the correct location to report
but I'll try anyway.
A sarge install with a kernel 2.6 does not load any
linux security kernel modules per default, neither
capabilities nor lsm, which is insecure.
--
lg, Chris
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with
Hello,
maybe kernel-patch-ctx (together with some user space utilities included
in the vserver package) can help. It gives you the possibility to limit
the superuser.
Adam ENDRODI <[EMAIL PROTECTED]> writes:
> -- Problem 3: I'd like to grant or revoke capabilities to/from
> a running process.
>
> This seems to be the easiest, except that the kernel in the
> default configuration doesn't permit this (cap_bound doe
Hello all,
I'm toying with POSIX(-like) capabilities. I've dug up the
libcap* packages, played with their source and done some
research. Below I list three problems I need to resolve and the
conclusions I've come to.
-- Problem 1: I want to execute as root a progr
On Wed, Jul 31, 2002 at 10:26:36AM -0500, Orlando wrote:
> On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
>
> > Short answer: Linux mainly uses interrupt timings as an entropy
> > source, from devices that are fairly unpredictable. Assuming those
> > are secure, the entropy pool is protected
Jean-Francois Dive <[EMAIL PROTECTED]> wrote:
> i was talking to a friend, and he was describing the inability of PC
> based security devices to have proper pseudo-random number generation.
> This sounded to me like it needed some investigation. My general question
> is: has anyone ever heard ab
On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
> Short answer: Linux mainly uses interrupt timings as an entropy
> source, from devices that are fairly unpredictable. Assuming those
> are secure, the entropy pool is protected by a SHA hash of its state
> when something needs random bits. (a
On Wed, Jul 31, 2002 at 07:51:03PM +1000, Jean-Francois Dive wrote:
> hello people,
>
> i was talking to a friend, and he was describing the inability of PC
> based security devices to have proper pseudo-random number generation.
> This sounded to me like it needed some investigation. My general qu
hello people,
i was talking to a friend, and he was describing the inability of PC
based security devices to have proper pseudo-random number generation.
This sounded to me like it needed some investigation. My general question
is: has anyone ever heard about any type of cryptographic attack usi
fail. The idea I got from the gpg docs is it has the
ability to have a filesystem capability set so it runs with ONE extra
capability so it can use mlock() and then drop that capability. This
would be done instead of just making gpg fully suid root.
there is a ./configure option
--with-
On Sat, 24 Mar 2001 01:14:31 -0900
Ethan Benson <[EMAIL PROTECTED]> wrote:
> On Sat, Mar 24, 2001 at 12:39:03AM -0500, Daniel Jacobowitz wrote:
> >
> > Vsftpd does, too.
>
> I have read GnuPG has code to use a capability to allocate secure
> memory instead of using suid, but its only really usefu
r ext2
currently supports.
> I'm fairly sure there's a lot more - you can access them through PAM
> somehow, I think...
yes, Andrew Morgan (er, I think that's right..) wrote a pam module that
allows you to grant/deny certain capabilities to users when they
login, the problem is it was broke
On Thu, Mar 22, 2001 at 10:36:43AM +0100, Alexander Reelsen wrote:
> Hi folks
>
> I'm currently collecting a list of applications which make use of the
> capabilities introduced in Linux 2.2. However this list is quite short and
> I'm wondering whether I am searching
sion 4 upstream
source, and split into ntp and ntpdate packages.
> I do not see why there is any need for the older version.
The point of the original posting was to identify applications that can use
"capabilities" to avoid running with root privs all the time. There is
apparently
> - xntp3 w/patch (just keeps CAP_SYS_TIME, drops uid 0)
As far as I can recall, xntp3 was split into ntp and ntpdate
somewhere around version 4. I do not see why there is any need for the
older version. Besides there used to be a .deb for it.
--
--
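Two techniques come up in this thread: GnuPG keeping a single capability just long enough to mlock() its secure memory, and the patched xntp3 leaving uid 0 while retaining only CAP_SYS_TIME. The program below is an added example that combines both; it is not code from GnuPG, ntp or any poster. It uses the raw capget/capset system calls so only glibc and the kernel headers are needed. The uid 65534 ('nobody') and the 4 KiB secure buffer are assumptions for the demo; a real daemon would use its own account and its own allocator.

```c
/* Added example, not GnuPG's or ntp's code: run as root, lock a buffer,
 * switch to an unprivileged uid, keep only CAP_SYS_TIME, drop the rest. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* ABI version 3 carries two 32-bit words per set (64 capability numbers). */
struct capsets {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
};

/* Build permitted and effective sets holding exactly the listed capabilities.
 * Inheritable stays empty, so nothing survives a later execve(). */
void caps_only(struct capsets *cs, const int *caps, size_t n)
{
    memset(cs, 0, sizeof *cs);
    cs->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    cs->hdr.pid = 0;                      /* 0 = calling thread */
    for (size_t i = 0; i < n; i++) {
        int word = caps[i] / 32, bit = caps[i] % 32;
        cs->data[word].permitted |= 1u << bit;
        cs->data[word].effective |= 1u << bit;
    }
}

/* 1 if `cap` is in the effective set of cs, else 0. */
int caps_has(const struct capsets *cs, int cap)
{
    return (int)((cs->data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Number of effective capabilities in cs. */
int caps_count(const struct capsets *cs)
{
    return __builtin_popcount(cs->data[0].effective) +
           __builtin_popcount(cs->data[1].effective);
}

/* Scalar wrappers around caps_only() so the bit layout can be checked. */
int single_cap_has(int keep, int probe)
{
    struct capsets cs;
    caps_only(&cs, &keep, 1);
    return caps_has(&cs, probe);
}

int single_cap_count(int keep)
{
    struct capsets cs;
    caps_only(&cs, &keep, 1);
    return caps_count(&cs);
}

/* Apply cs to the calling thread; shrinking the sets needs no privilege. */
static int apply_caps(struct capsets *cs)
{
    return (int)syscall(SYS_capset, &cs->hdr, cs->data);
}

/* Ask the kernel what we actually hold now, rather than trusting our struct. */
static int current_caps(struct capsets *cs)
{
    memset(cs, 0, sizeof *cs);
    cs->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    return (int)syscall(SYS_capget, &cs->hdr, cs->data);
}

int main(void)
{
    static unsigned char secmem[4096];   /* assumption: stand-in for GnuPG's secure memory */
    if (mlock(secmem, sizeof secmem) != 0)
        perror("mlock (needs CAP_IPC_LOCK or a large enough RLIMIT_MEMLOCK)");

    uid_t target = 65534;                /* assumption: 'nobody' */
    int keep[] = { CAP_SYS_TIME };

    /* 1. Keep the permitted set across the uid change. The kernel still clears
     *    the effective set, which step 3 restores to the subset we want. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) { perror("PR_SET_KEEPCAPS"); return 1; }
    /* 2. Leave uid/gid 0, groups first. Check every return value: an unchecked
     *    failed setuid leaves the process fully privileged. */
    if (setgroups(0, NULL) != 0 || setresgid(target, target, target) != 0 ||
        setresuid(target, target, target) != 0) { perror("drop uid"); return 1; }
    /* 3. permitted = effective = {CAP_SYS_TIME}. CAP_IPC_LOCK is gone, but the
     *    pages locked above stay locked. */
    struct capsets cs, now;
    caps_only(&cs, keep, 1);
    if (apply_caps(&cs) != 0) { perror("capset"); return 1; }
    if (current_caps(&now) != 0) { perror("capget"); return 1; }

    printf("uid=%u effective caps=%d CAP_SYS_TIME=%d CAP_IPC_LOCK=%d\n",
           (unsigned)getuid(), caps_count(&now), caps_has(&now, CAP_SYS_TIME),
           caps_has(&now, CAP_IPC_LOCK));
    return 0;
}
```

Without the PR_SET_KEEPCAPS call the setresuid() would clear the permitted set and the later capset() would fail with EPERM, which is the behaviour the "cap_bound" complaints in the 2005 thread run into from the other direction: capabilities can only ever be reduced from within a process, never granted back.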
Hi folks
I'm currently collecting a list of applications which make use of the
capabilities introduced in Linux 2.2. However this list is quite short and
I'm wondering whether I am searching wrong or the capabilities aren't
advocated enough yet or just not used as they're b
Jim Breton wrote:
> Are there are good resources which provide details on how to take
> advantage of the kernel's capabilities? I've installed lcap, setpcap,
> and friends but am surprised at how little documentation I've been able
> to find (maybe I'm looki
Christian Hammers wrote:
>
> Hello List
>
> Is it right that there must exist a vulnerability in the server, too that
> allows the attacker to execute code to exploit the capabilities bug?
> In other words, how severe is the urge to update the kernels on our
> product
On Thu, Jun 08, 2000 at 02:03:21PM +0200, Wichert Akkerman wrote:
> Previously Christian Hammers wrote:
> > Is it right that there must exist a vulnerability in the server, too that
> > allows the attacker to execute code to exploit the capabilities bug?
> > In other words, h
Previously Christian Hammers wrote:
> Is it right that there must exist a vulnerability in the server, too that
> allows the attacker to execute code to exploit the capabilities bug?
> In other words, how severe is the urge to update the kernels on our
> production systems?
It ind
Hello List
Is it right that there must exist a vulnerability in the server, too that
allows the attacker to execute code to exploit the capabilities bug?
In other words, how severe is the urge to update the kernels on our
production systems?
bye,
-christian-
> Date: Wed, 7 Jun 2